Customer information released in WestJet data breach

WestJet says “it has become aware” that profile data for some of its WestJet Rewards program members was revealed online by what the company calls an unauthorized third party.

The disclosed data did not include credit card or banking information, WestJet said.

The company said it is working with the Calgary Police Service and the RCMP in their investigation of the privacy breach.

“WestJet is in the process of contacting affected guests and we deeply regret any inconvenience this may cause,” said Craig Maccubbin, WestJet Executive Vice-President and Chief Information Officer in a news release.

“It’s hard to say whether (the attack) was targeted,” said cyber-security expert and former Calgary police officer Kathy Macdonald.

She said the hackers might have been testing the security parameters of the WestJet network for another breach, or simply wanted the user info.

The company says it has notified the Information and Privacy Commissioner of Alberta and the federal Privacy Commissioner about the disclosure of personal information.

Macdonald said companies that gather identifying information are being targeted all the time, even if they don’t collect credit card details. She said WestJet should take this opportunity to look at their security and strengthen it.

Companies should dispose of data that is no longer needed, determine if they are collecting more information than they need and ensure proper protection for their most valuable information.

Events like these are becoming increasingly popular.

“A lot of the big organizations have been targeted, multiple times even — Target, Home Depot, Sony, the Hilton family, P.F. Chang’s, I mean the list just goes on and on,” said Macdonald.

She said e-mail is one of the most common attack vectors where hackers send well-crafted messages drawing people to click a link or send personal information.

Last month, personal details about patrons of Calgary’s Cowboys Casino were put online by hackers a year after a massive cyber attack. Information about customer payouts, tracking of gambling habits and the casino’s “elite members list” were among the leak.

In May, a High River charity called Rowan House thwarted an attempted hacking incident by abandoning their website.

In 2016, the University of Calgary paid a whopping $20,000 after a ransomware cyberattack took command of its computer systems. Similarly in November last year, Ottawa’s Carleton University became a victim to a similar attack and hackers demanded the school pay bitcoins in exchange for access to its computer networks.

For consumers, Macdonald said people should be selective to minimize as much risk as possible.

“These companies do protect as much as they can,” she said, but there is no full-proof protection available. “It’s like a lock on the door kind of thing. Nothing is 100 per cent.”